Vulnerabilities > B2Evolution > B2Evolution > 6.6.0

DATE CVE VULNERABILITY TITLE RISK
2022-09-28 CVE-2022-30935 Use of Insufficiently Random Values vulnerability in B2Evolution
An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function.
network
low complexity
b2evolution CWE-330
critical
9.1
2021-02-09 CVE-2020-22841 Cross-site Scripting vulnerability in B2Evolution
Stored XSS in b2evolution CMS version 6.11.6 and prior allows an attacker to perform malicious JavaScript code execution via the plugin name input field in the plugin module.
3.5
2021-02-09 CVE-2020-22840 Open Redirect vulnerability in B2Evolution
Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
5.8
2018-01-02 CVE-2017-1000423 Improper Input Validation vulnerability in B2Evolution
b2evolution version 6.6.0 - 6.8.10 is vulnerable to input validation (backslash and single quote escape) in basic install functionality resulting in unauthenticated attacker gaining PHP code execution on the victim's setup.
network
low complexity
b2evolution CWE-20
7.5
2017-01-23 CVE-2017-5553 Cross-site Scripting vulnerability in B2Evolution
Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_markdown.plugin.php in b2evolution before 6.8.5 allows remote authenticated users to inject arbitrary web script or HTML via a javascript: URL.
3.5
2017-01-18 CVE-2016-7150 Cross-site Scripting vulnerability in B2Evolution
Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the site name.
3.5
2017-01-18 CVE-2016-7149 Cross-site Scripting vulnerability in B2Evolution
Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to the autolink function.
4.3
2017-01-15 CVE-2017-5494 Cross-site Scripting vulnerability in B2Evolution
Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame.
3.5
2017-01-15 CVE-2017-5480 Path Traversal vulnerability in B2Evolution
Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a ..
network
low complexity
b2evolution CWE-22
5.5
2016-12-02 CVE-2016-9479 Credentials Management vulnerability in B2Evolution
The "lost password" functionality in b2evolution before 6.7.9 allows remote attackers to reset arbitrary user passwords via a crafted request.
network
low complexity
b2evolution CWE-255
5.0